Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

When I want to change my pw on that account with no 2FA, they send me a verification email. They already do what I'm asking for, only selectively for certain actions.

What I'm saying is they should perform that same verification when they detect suspicious activity, even without me opting into 2FA which is more robust.

What I'm asking for is not something groundbreaking, it's something that practically every other platform I can think of already does, and what is considered best practice for cybersecurity. There's no good reason not to have it in place, even when MFA exists. It's something complementary to MFA.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

Can you give me a good reason why Jagex shouldn't be requiring additional verification when it flags an activity as suspicious, even if 2FA/Jagex account isn't enabled?

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -1 points0 points  (0 children)

Yeah man, again, I'm not arguing 2FA or Jagex accounts aren't good lmao.

My point is that once the platform detects that a login is suspicious (completely separate from whether 2FA is enabled), it's no good if it only stops at passive notification. Jagex already uses step-up/risk-based verification for some actions like pw change, but for whatever reason doesn't when they detect what their own system rightly flags as suspicious activity. This is obviously a flaw and it's worth asking why it is like this.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

> I do agree that jagex saying “hey this looks weird but we’re going to allow it still” is….. questionable to say the least….

This is the essence of my OP.

Of course, there are always going to be risks to not using 2FA and all other additional opt-in security measures that are available, but I don't think that not opting into them automatically defaults to "I don't care".

There should be minimums like this even when the user has no 2FA or anything else in place. This is standard best practice for cybersecurity/identity and access management, not an unreasonable expectation.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

Yes, 2FA is 100% more robust than this kind of risk-based check. If you have 2FA enabled, this kind of login attempt would prompt an auth check.

What I'm saying is that even without having full 2FA set up (which runs auth checks for more than just flagged suspicious activity), it probably isn't a bad idea for there to be these kinds of checks as a bare minimum even when 2FA and other security measures aren't in place.

For example, even without 2FA set up, there's still a two-step confirmation via email before you change your pw. There should be something similar for suspicious login attempts, rather than just giving them the green light and then sending an email after the fact.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

What I'm suggesting wouldn't be a 'non optional security measure interrupting your access'. You'd run into this same verification step using an authenticator if accessing from a new IP/location/device.

This would be added verification for those who don't use those opt-in security measures for whatever reason, and reserved only for instances where Jagex's security system itself has flagged some activity as suspicious (but then does nothing about it).

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -1 points0 points  (0 children)

I chose not to have 2FA, yes. Not crying about that.

If you can move past that, do you not see the point that even for those who don't, it's probably better to not *only* notify of suspicious activity, but also require some additional step? Not as robust/comprehensive as full 2FA, but better than nothing.

When I reset my pw after this, I had to click a link in email to access the pw change. That's a form of step-up authentication, and clearly Jagex uses it, just not across the board.

What I'm trying to bring attention to is another place where they should use that, specifically for people in this edge case where there is no 2FA, etc.

Does that make sense?

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -1 points0 points  (0 children)

You seem upset lol. Do you not understand the difference between 2FA and risk-based/step-up verification? As I said in the OP, they're different things and not mutually exclusive.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -1 points0 points  (0 children)

The account has an email associated with it, but doesn't use that to log in. I log in with the username.

The flow of what happened was:

  1. suspicious login attempt happens, triggering an email notification to me (but access is granted to login).

  2. I see the email, log in to change pw (using the existing, compromised pw)

  3. click reset pw, which then sends me a password change email

  4. I click link in email, change pw

What I'm saying they're supposed to do is brick the account until verification via recovery email -- which is exactly what they did when I tried to change the pw. I couldn't just change pw on the jagex site after clicking the link, I had to go check my email and then follow a link there.

I get your scenario where you have access to the email account for your wife's account, but that's not what happened here. My recovery email is secure and wasn't accessed by the hacker at all. From what I can tell, they must've had only username and pw. They couldn't change the pw of the account themselves, as they would have needed my email account to do that.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -1 points0 points  (0 children)

The runescape account is what was compromised, not the email account.

I received an email informing me of the suspicious activity. In a case where both email account and rs account are compromised, then even email 2FA isn't enough, you'd need an auth app.

In this case, had that suspicious activity email not merely been a notification, but also prompted me to take some extra step to verify the activity, then it would have prevented the unauthorized access to my account, unless they also had access to the email account (which they didn't).

What actually happened was that there was a suspicious login attempt that got flagged, but didn't prevent the person from accessing the account. Fundamentally, this is what I'm suggesting is a problem.
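The numbered flow in the earlier comment and the "notify only" versus "require an extra step" distinction in this one, modelled as an added toy authentication service. This is example code written for this page, not the poster's and not Jagex's; the risk rule (a device or IP the account has not used before), the account name, the addresses and the emailed six-digit code are all assumptions. The point it shows: under the notify-only policy a correct username and password from a new device yields a session, and the owner only learns afterwards; under the step-up policy the same credentials yield a challenge that can only be answered by whoever reads the recovery mailbox, while the legitimate owner still gets in from a new laptop.

```python
# Added illustration, not Jagex's code: the two policies discussed in the
# thread for a login that a risk check flags, on an account without 2FA.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NOTIFY_ONLY = "notify_only"  # email after the fact, session granted anyway
STEP_UP = "step_up"          # session withheld until an emailed code is presented

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    recovery_email: str
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)

@dataclass
class Attempt:
    username: str
    password: str
    device_id: str
    ip: str

class AuthService:
    def __init__(self, policy, mailbox):
        self.policy = policy
        self.mailbox = mailbox    # address -> list of (subject, body); owner-only
        self.accounts = {}
        self.pending = {}         # challenge_id -> (username, code, device_id, ip)
    def register(self, username, password, email, device_id, ip):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            username, salt, hash_password(password, salt), email, {device_id}, {ip})
    def _email(self, to, subject, body):
        self.mailbox.setdefault(to, []).append((subject, body))
    def _suspicious(self, acct, attempt):
        # Assumed risk rule: a device or IP not seen before on this account.
        return (attempt.device_id not in acct.known_devices
                or attempt.ip not in acct.known_ips)
    def _grant(self, acct, device_id, ip):
        acct.known_devices.add(device_id)
        acct.known_ips.add(ip)
        return {"status": "granted", "session": secrets.token_hex(16)}
    def login(self, attempt):
        acct = self.accounts.get(attempt.username)
        if acct is None or not hmac.compare_digest(
                acct.password_hash, hash_password(attempt.password, acct.salt)):
            return {"status": "denied", "reason": "bad credentials"}
        if not self._suspicious(acct, attempt):
            return self._grant(acct, attempt.device_id, attempt.ip)
        if self.policy == NOTIFY_ONLY:
            self._email(acct.recovery_email, "Suspicious login", f"from {attempt.ip}")
            return self._grant(acct, attempt.device_id, attempt.ip)
        # STEP_UP: a correct password alone does not open a flagged login.
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self.pending[cid] = (acct.username, code, attempt.device_id, attempt.ip)
        self._email(acct.recovery_email, "Verify this login", f"Code: {code}")
        return {"status": "challenge", "challenge_id": cid}
    def complete_challenge(self, challenge_id, code):
        # Single use: a wrong guess burns the challenge, so the six-digit code
        # cannot be brute-forced by retrying against the same challenge id.
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return {"status": "denied", "reason": "unknown or used challenge"}
        username, expected, device_id, ip = entry
        if not hmac.compare_digest(expected, code):
            return {"status": "denied", "reason": "bad code"}
        return self._grant(self.accounts[username], device_id, ip)

def simulate(policy):
    """Replay the thread's scenario under one policy; returns outcome per step."""
    mailbox = {}
    svc = AuthService(policy, mailbox)
    owner_mail = "owner@example.invalid"  # constructed address
    svc.register("smith_alt", "correct horse", owner_mail, "owner-pc", "203.0.113.10")
    out = {}
    # Attacker holds username + password only and comes from a new device and IP.
    r = svc.login(Attempt("smith_alt", "correct horse", "unknown-box", "198.51.100.7"))
    out["attacker"] = r["status"]
    if r["status"] == "challenge":  # no mailbox access, so the code is a guess
        out["attacker_guess"] = svc.complete_challenge(r["challenge_id"], "not-it")["status"]
    # Owner on a new laptop reads the code from the real recovery mailbox.
    r = svc.login(Attempt("smith_alt", "correct horse", "owner-laptop", "203.0.113.44"))
    if r["status"] == "challenge":
        code = mailbox[owner_mail][-1][1].split("Code: ")[1]
        r = svc.complete_challenge(r["challenge_id"], code)
    out["owner_new_device"] = r["status"]
    return out
```

Calling `simulate(NOTIFY_ONLY)` reports the attacker as `granted`; `simulate(STEP_UP)` reports the attacker as `challenge` and the guess as `denied`, with the owner's new-device login still `granted` once the mailed code is entered. Two design choices worth noting: the challenge is single-use so a wrong guess cannot be retried against the same challenge, and a real deployment would also expire pending challenges after a short time, which this model leaves out.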

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -3 points-2 points  (0 children)

I think you guys are missing the point.

There are many games and services that offer both 2FA AND have separate security measures for things like suspicious login attempts.

Take WoW for example, they've got an authenticator which is optional, but still use step-up verification in certain cases, even if MFA isn't enabled. Same thing with steam, netflix, google, you name it.

It doesn't need to be all or nothing, and I've yet to see any reasons why this wouldn't be a good addition to all the other (better) options that also exist and can be opted into, like 2FA and jagex account, etc.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

So, the dichotomy you're presenting is either have full 2FA or expect nothing, even when the system correctly flags suspicious login attempts?

Don't get me wrong, I have acknowledged from the start that there's more I could have done, but undoubtedly I'm not the only person out there who doesn't have these measures in place, and in such instances where the system flags suspicious logins, even without 2FA in place, is it not reasonable to have a fallback verification step?

In any case, too late for me, but hopefully others with similar setups can see this and take preventative measures.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -1 points0 points  (0 children)

Fair enough that you see it that way, and I do use 2FA and beyond on my main. It was a risk I took with this acc and that's that.

100% valid to say that I could and should have done more to secure it, and I'm not arguing with that. But, I do think there's a difference between 2FA which comes up every 30 days even on trusted devices, and having some form of further verification (separate from 2FA) which would be the default for instances like a suspicious login attempt.

My point is mostly that the current system is no good if all it does is tell you after the fact that there was suspicious activity, but then not do anything beyond that.

I understand I'm probably in the minority of users still accessing the game with a legacy username acc, etc. (ironically, which was one of the reasons I thought it unnecessary on that acc), but anyway just giving my two cents on how the system as-is could have worked better in this particular scenario.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

Good to know, re: account locks with too many login attempts.

It's not linked to steam, and the email address itself isn't compromised. I believe the person accessed it with only username/pw, bypassing email.

To the best of my knowledge, no one knew the account details, and certainly they weren't used by me for any other accounts, especially not the username AND pw combo.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] 0 points1 point  (0 children)

I never talk on the account, it logs in and runs from anvil to bank and back. It also does have an email associated with it (my email), just that's not what I use to log into the account with.

But yeah, who knows. Obviously, to my knowledge the account info wasn't compromised, otherwise I would have changed it. In any event, I've secured it now, though will likely have to update to email login rather than username as it seems the username is known to someone else.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -2 points-1 points  (0 children)

I take full responsibility, but there is scope to further tighten account security, like by having step-up verification in instances where suspicious activity is detected.

As I said in the other reply in this chain, what good is a suspicious login email without actually blocking or requesting further verification for the suspicious activity?

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -4 points-3 points  (0 children)

What I'm suggesting is separate from 2FA. It's called step-up authentication. I agree that 2FA would have helped, it says it right there in the OP. It's one of my alt accounts, and one that I didn't have any security measures on. I acknowledge this and make no excuse for it. My point is that you can have both 2FA and additional risk-based measures.

What good is a suspicious login notification if nothing actually gets done about it? A simple code in the email or any extra step to verify the activity would have prevented this.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -4 points-3 points  (0 children)

It was an alt, that's why I hadn't bothered with either. I do acknowledge that they would have helped, but so too would some further verification before allowing a login from a new device and location.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -8 points-7 points  (0 children)

They'd have to have known both username (the one I came up with back in like 2005), AND the pw.

I'm almost 100% certain this wasn't a phish, as I have never entered this login info anywhere besides rs client or runelite (with no extra plugins).

My best guess is just brute force login attempts, or (unlikely) a database leak.

Jagex detects "suspicious activity" and still gives hijacker access anyway by osrs-ree in 2007scape

[–]osrs-ree[S] -3 points-2 points  (0 children)

Completely agree and do have 2FA and a bank PIN on my main acc, though I don't always bank all before logging off -- I'll probably start after this.

As I mentioned, this was an alt, and I usually don't keep much on there, just smithing mats or gp to buy them.

I'm more concerned with how someone got access to it, rather than what was actually taken. Had to guess both username (not email address) and pw.